I have a YouTube channel which is under a different Google account to my normal one. I have a secure password with it, and an alternate e-mail address set up, but I thought I'd see how secure the password recovery feature was and whether I could gain access with hardly any information.

It took me 10 minutes and I had full access. They sent a password reset link to an e-mail address I entered that has never been associated with my account in any way. They also never sent me an e-mail at the actual address associated with the account to tell me that the password had been changed by someone else, so if someone else had gained control of the account I wouldn't even have been notified of it!

This is all I had to do to get access:

Enter the YouTube username.

Click Verify identity.

Enter an e-mail address that they would later send a reset link to if they liked my answers.

Answer about 20 questions.

The first one was this:

I entered a completely random word.

Most of the rest of the questions are optional and can be figured out really easily by actually viewing the info on the YouTube channel. For example,

What date (roughly) did you join Google?

Select from this list the Google products you use and when you started using them.

At the end it said that it could take a day for someone to review the answers, but the e-mail with the reset link came through in the next few minutes.

In my opinion this is appalling and I don't understand how they could have made such a mess of it. I don't use two-factor authentication but I would hope that this would make some difference.

When you change your password they force it to be of a certain standard, and they even block you from using previous passwords. This is all good but completely pointless if it can be bypassed by anyone so easily.

On the subject of the 'last password you remember'

Does this mean that Google is storing account passwords in clear text? If they were creating hashes then I don't understand how an answer to this question would be of any use to them as they'd have no idea how similar the one entered was to the actual one in the database.

Here's my actual question!

Is there a way of either disabling the whole password recovery system altogether? Or is there a way of just disabling the 'Verify your identity' bit, which in my opinion shouldn't even exist in the first place? It should at least be an opt-in feature.

I also think they should allow you to disable the option 'Receive via: an automated phone call' because anyone can answer the phone and get the confirmation code really easily. If the number you've got set is your mobile you will probably have a lock screen so random people can't read your messages, but anyone could answer a phone call even if it is locked. I know that some phones show a preview of new texts so you have to be careful of that as well (but that's not Google's problem).

I realise as well that they might have used the fact that the requests were from the usual IP address, but I still don't think this is anywhere near enough info to unlock the account for someone.

And what do you do if you disable it and actually need it afterwards?
– Alex, May 24 '12 at 21:09

1

Well then you're stuck. You shouldn't have forgotten it in the first place! I just think there should be the option to disable it. The options (excluding the 'verify your identity' multiple choices) are fine as they use methods that you personally have added and that only you have access to to be contacted by.
– Tom Jenkinson, May 24 '12 at 21:48

1

What's your question? All I see here is a rant.
– Al E., May 29 '12 at 13:45

1

Is there a way of either disabling the whole password recovery system altogether? Or is there a way of just disabling the 'Verify your identity' bit?
– Tom Jenkinson, May 29 '12 at 16:46
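On the 'last password you remember' point raised in the question: the sketch below is an added example, not part of the original post or answers, and not a description of how Google stores passwords. It assumes a service that keeps salted scrypt hashes of the current and former passwords (the `Account` class and its method names are hypothetical), which is enough both to block password reuse and to check a remembered old password by exact match, with no clear text stored and no way to score a near miss.

```python
import hashlib
import hmac
import os

# Illustrative scrypt cost parameters (assumption; tune for real hardware).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is used for new records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return salt, digest


def matches(password, record):
    """Re-hash the candidate with the record's salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    """Hypothetical account record: only salted hashes are ever stored."""

    def __init__(self, password):
        self.current = hash_password(password)
        self.history = []  # hashes of former passwords, oldest first

    def change_password(self, new_password):
        """Reject reuse of the current or any former password."""
        if any(matches(new_password, r) for r in [self.current] + self.history):
            return False
        self.history.append(self.current)
        self.current = hash_password(new_password)
        return True

    def check_remembered_password(self, guess):
        """Classify a recovery answer as 'current', 'previous' or 'no match'."""
        if matches(guess, self.current):
            return "current"
        if any(matches(guess, r) for r in self.history):
            return "previous"
        return "no match"  # a one-character miss looks the same as a random word


if __name__ == "__main__":
    acct = Account("correct horse 2010")        # constructed sample passwords
    acct.change_password("tr0ub4dor & 3 2011")
    for guess in ("correct horse 2010", "correct horse 2011", "banana"):
        print(guess, "->", acct.check_remembered_password(guess))
```

An exact match against a former password is a usable recovery signal under this scheme; a close-but-wrong guess is indistinguishable from a random word, because the hashes carry no similarity information.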

2 Answers
2

Google is probably using information that it has not specifically requested of you during the password reset process in order to verify your ownership of the account. Specifically, tokens stored on your computer, and your IP address.

I had a similar experience to yours, which initially alarmed me, and tested the above theory by using the Tor browser to perform the reset. This browser redirects a Web session through Tor's own servers in Europe, making your session more anonymous.

The result was a much more aggressive set of questions. The first time I attempted to reset the password, I just blew them off, and hit a brick wall. I tried a second time, and once I had answered the questions somewhat correctly, I was presented with an emailed link to a reset page. When I clicked that link, since I have two-step verification set up, I was presented with a demand for a number provided by the Google Authenticator app on my phone. I provided that number and only then was I allowed to reset the password.

This experience gives me more confidence in the process. Google, while fallible, is not a huge corporate playpen full of idiots. Password security is a critical feature of Google's business, and I'm sure that they have thought long and hard about how best to allow legitimate users who are schleppy enough to lose passwords to get them back without allowing thieves to run off with all the Google accounts.

There is no way of disabling Google password recovery. I've gone through the settings. There is just no way. And, based on a fair amount of research, "Verify your identity" cannot be disabled either.

It appears that you have a separate YouTube account with a separate user name and password. Note that the password recovery procedure is different for YT-only compared to Google accounts. It seems to be less secure.

Move YouTube to Google Apps

Using Google Apps (even the free version) would allow you to create a user without admin rights who cannot under any circumstances reset his own password. It is similar to working with a user account under Windows for security purposes.

Edit: Possibly, a Google Apps account would not feature the "Verify your identity" recovery option. I cannot verify this and I have found no supporting evidence. But it is worth a try as there seems to be no other option.

Enable 2-step verification

Enabling 2-step verification will improve your security because the password alone would be insufficient to hack your account. Obviously, this will only work after linking your YouTube account to a Google Account.

Thanks. It already is linked to a Google account. I'm not sure how creating a new user with limited privileges would help because you would still always be able to reset the password for the main account. I have enabled 2-step verification now but it still gives you the option to 'verify your identity' anyway, in case the extra security you set up doesn't work, and it looks like it runs into the same set of questions defeating the object. All I want is the option to disable the 'verify identity' option. Most sites don't have this and I would never use it as I always have access to my e-mail.
– Tom Jenkinson, May 28 '12 at 20:54

Do you know if there's a way I could contact Google?
– Tom Jenkinson, May 28 '12 at 20:55

@TomJenkinson I have expanded my answer. Sorry I had not grasped the difference between "Verify your identity" (VYI) and password recovery. Question: Were you able to bypass 2-step verification with VYI as well?
– user 99572 is fine, May 28 '12 at 21:19

2

I've just gone through the process again like I did before by choosing the option that said you couldn't access your mobile (which took me to VYI). I've just got an e-mail from them which links to a help page about 2 step verification and it said reply if you still have a problem. This looks promising as before they just sent me a link straight away. I've just replied and said I can't log in and I'll post here if I manage to get them to send me a reset link.
– Tom Jenkinson, May 28 '12 at 21:33